Davis Phillips
Annette Clewett
refarch-feedback@redhat.com
Legal Notice
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity
logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other
countries.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United
States and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related
to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
The purpose of this reference architecture is to provide a step-by-step guide on how to deploy and
manage Red Hat OpenShift Container Platform 3.6 on VMware vSphere. Additionally, the
document covers vSphere dynamic provisioning and Gluster for persistent container storage.
Table of Contents

COMMENTS AND FEEDBACK 5
CHAPTER 1. EXECUTIVE SUMMARY 6
CHAPTER 2. COMPONENTS AND CONFIGURATION 7
2.1. REFERENCE IMPLEMENTATION HARDWARE CONFIGURATION 8
2.2. VMWARE VCENTER AND VSPHERE DETAILS 9
2.3. VIRTUAL MACHINE INSTANCE DETAILS 9
2.4. HAPROXY LOAD BALANCER DETAILS 10
2.5. SOFTWARE VERSION DETAILS 10
2.6. REQUIRED CHANNELS 11
2.7. TOOLING PREREQUISITES 11
2.7.1. Git Repository 11
2.7.1.1. GitHub Repositories 11
2.7.1.2. Directory Setup 12
2.7.2. Ansible by Red Hat Setup 12
2.8. NETWORK COMPONENTS 15
2.8.1. DNS (Domain Name Server) Configuration 15
2.8.2. Hosted Zone Setup 16
2.8.3. Authentication 16
2.8.4. NFS (Network File System) Server 17
2.8.5. Load Balancer 18
2.9. VMWARE VCENTER PREREQUISITES 18
2.9.1. Networking 19
2.9.2. vCenter Shared Storage 19
2.9.3. Resource Pool, Cluster Name and Folder Location 20
2.9.4. SSH (Secure Shell) Prerequisite 20
2.9.4.1. SSH Configuration 20
2.9.5. VMware Template 21
2.9.6. Preparation Script 21
2.10. DYNAMIC INVENTORY 22
2.11. NODES 24
2.11.1. Master nodes 24
2.11.2. Infrastructure nodes 24
2.11.3. Application nodes 24
2.11.4. Node labels 25
2.12. RED HAT OPENSHIFT PODS 25
2.13. OPENSHIFT SDN 25
2.14. ROUTER 25
2.15. REGISTRY 26
2.16. OPENSHIFT METRICS 26
CHAPTER 3. PROVISIONING THE INFRASTRUCTURE 27
3.1. PROVISIONING THE INFRASTRUCTURE WITH ANSIBLE BY RED HAT 27
3.1.1. Authentication Prerequisite 27
3.1.1.1. Create a Red Hat OpenShift lightweight directory access protocol (LDAP) BIND user account 27
3.2. OCP-ON-VMWARE.PY - VARIABLES 28
3.2.1. Sample Red Hat OpenShift Install Variables 30
3.3. OCP-ON-VMWARE.PY - INVENTORY 31
3.3.1. Sample Red Hat OpenShift Inventory Variables 33
3.3.2. VMware Configuration Variables 34
3.3.2.1. VMware Authentication Variables 35
CHAPTER 4. OPERATIONAL MANAGEMENT 45
4.1. VALIDATING THE DEPLOYMENT 45
4.2. GATHERING HOSTNAMES 45
4.3. RUNNING DIAGNOSTICS 46
4.4. CHECKING THE HEALTH OF ETCD 47
4.5. EXAMINING DEFAULT NODE SELECTOR 48
4.6. MANAGING OF MAXIMUM POD SIZE 48
4.7. CHECKING THE YUM REPOSITORIES 49
4.8. CONSOLE ACCESS 50
4.9. LOGGING INTO GUI (GRAPHICAL USER INTERFACE) CONSOLE AND DEPLOY AN APPLICATION 50
4.10. LOGGING INTO THE CLI (COMMAND-LINE INTERFACE) AND DEPLOY AN APPLICATION 50
4.11. EXPLORING THE ENVIRONMENT 52
4.11.1. Listing Nodes and Set Permissions 52
4.11.2. Listing Router and Registry 53
4.11.3. Exploring the Docker Registry 53
4.11.4. Exploring Docker Storage 55
4.12. TESTING FAILURE 56
4.12.1. Generating a Master Outage 56
4.12.2. Observing the Behavior of etcd with a Failed Master Node 57
4.12.3. Generating an Infrastruture Node outage 57
4.12.3.1. Confirming Application Accessibility 57
4.12.3.2. Confirming Registry Functionality 58
4.12.3.3. Get Location of Router and Registry. 59
4.12.3.4. Initiate the Failure and Confirm Functionality 60
4.13. UPDATING THE OPENSHIFT DEPLOYMENT 60
4.13.1. Performing the Upgrade 60
4.13.2. Upgrading and Restarting the OpenShift Environment (Optional) 60
4.13.3. Specifying the OpenShift Version when Upgrading 61
CHAPTER 5. PERSISTENT STORAGE CONCEPTS 62
5.1. STORAGE CLASSES 62
5.2. PERSISTENT VOLUMES 62
CHAPTER 6. PERSISTENT STORAGE OPTIONS 63
6.1. VSPHERE CLOUD PROVIDER CONFIGURATION 63
6.1.1. vSphere Storage Class 63
6.1.2. VMDK Dynamic provisioning 64
6.2. CREATING AN NFS PERSISTENT VOLUME 65
6.2.1. Creating an NFS Persistent Volumes Claim 66
6.2.2. Deleting a Persistent Volumes Claim 66
6.3. CONTAINER-NATIVE STORAGE OVERVIEW 66
6.3.1. Prerequisites for Container-Native Storage 67
6.3.2. Deployment of CNS Infrastructure 67
6.3.3. Firewall Prerequisites 69
6.4. CNS INSTALLATION OVERVIEW 69
CHAPTER 7. EXTENDING THE CLUSTER 101
7.1. BEFORE ADDING A NODE 101
7.2. INTRODUCTION TO ADD-NODE.PY 101
7.3. ADDING AN APPLICATION NODE 102
7.4. ADDING AN INFRASTRUCTURE NODE 103
7.5. VALIDATING A NEWLY PROVISIONED NODE 103
CHAPTER 8. CONCLUSION 105
APPENDIX A. REVISION HISTORY 106
APPENDIX B. CONTRIBUTORS 107
APPENDIX C. QUICK STEPS: HOW TO INSTALL RED HAT OPENSHIFT CONTAINER PLATFORM 108
APPENDIX D. TROUBLESHOOTING ANSIBLE BY RED HAT 109
APPENDIX E. INSTALLATION FAILURE 110
E.1. INVENTORY 110
E.2. RUNNING THE UNINSTALL PLAYBOOK 111
E.3. MANUALLY LAUNCHING THE INSTALLATION OF RED HAT OPENSHIFT 111
E.4. STARTING COMPLETELY OVER 111
E.5. TROUBLESHOOTING CNS DEPLOYMENT FAILURES 111
APPENDIX F. REVISION HISTORY 113
COMMENTS AND FEEDBACK
CHAPTER 1. EXECUTIVE SUMMARY
The target audience for this reference architecture is a system administrator or system
architect with a solid background in VMware. Some experience with Docker and OpenShift is
beneficial, but not required. The chapters following the deployment cover cluster
administration and validation topics.
If this reference architecture has already been read, see Appendix C, Quick Steps: How
to Install Red Hat OpenShift Container Platform.
CHAPTER 2. COMPONENTS AND CONFIGURATION
The image, shown below in Figure 1, provides a high-level representation of the components within this
reference architecture. Virtual machine (VM) resources are highly available using VMware
technologies; VMware HA (high availability), storage IO (input/output) control, and resource allocation
via hypervisor affinity and anti-affinity rules. The Ansible host is a virtual machine and acts as the
entrypoint for access to the hosts and performs configuration of the internal servers by ensuring that
all Secure Shell (SSH) traffic passes through it.
The master instances host the OpenShift master components such as ETCD and the OpenShift API.
The application instances are for users to deploy their containers while the infrastructure instances
are used for the OpenShift router and registry roles. Authentication is managed by Microsoft Active
Directory via lightweight directory access protocol (LDAP) authentication. OpenShift on VMware has
two cloud-native storage options: virtual machine persistent storage and network file system (NFS).
Virtual machine persistent storage is housed on virtual machine disks (VMDKs) on datastores located on
external logical unit numbers (LUNs) or NFS shares.
The other storage utilized is NFS, which is file-based storage. NFS is used for the persistent storage of
the OpenShift registry and for persistent volume claims for containers. The network is configured
to leverage a single load balancer for access to the OpenShift API & Console (8443/tcp) and the
OpenShift routers (80/tcp, 443/tcp). Finally, the image shows that domain name system (DNS) is
handled by an external DNS source. This DNS source should be pre-configured with the proper entries
prior to deployment. In this case the system engineering team is managing all DNS entries through a
BIND server and a conditional lookup zone in Microsoft DNS.
This reference architecture breaks down the deployment into separate phases.
For Phase 1, the provisioning of the environment is done using a series of Ansible playbooks that are
provided in the openshift-ansible-contrib GitHub repository.
Once the infrastructure is deployed, the playbooks will flow automatically into Phase 2. Phase 2 is the
provisioning of OpenShift Container Platform, which is done via the Ansible playbooks installed by the
openshift-ansible-playbooks rpm package.
The last phase, Phase 3, concludes the deployment by confirming the environment was deployed
properly. This is done by running command-line tools and the systems engineering team's validation
Ansible playbook.
NOTE
The scripts provided in the GitHub repository are not supported by Red Hat. They merely
provide a mechanism that can be used to build out your own infrastructure.
The reference architecture environment consists of a Dell m1000e chassis with a number of Dell
PowerEdge M520 blades configured as described in Table 2.1, Hardware Details. This
reference architecture creates by default:
3 OpenShift masters
To implement a highly available ETCD, each master will also be configured to run ETCD. The
infrastructure nodes will host registry and router applications, while the application nodes will host end
user applications.
Hardware Specifications
96GB of memory
ose3-vmware-prod datastore - 500GB
Shared storage for the environment has been provisioned on a Dell Equallogic PS4210 array. Storage
was presented to our VMware vSphere hosts via 2 iSCSI LUNs. Storage I/O Control (SIOC) was disabled
on these datastores.
vsphere1 10.x.x.88
vsphere2 10.x.x.89
Master: 2 vCPU, 16GB RAM
Node: 2 vCPU, 8GB RAM
All instances for the OpenShift environment are built from the same template. The master instances
contain three extra disks used for Docker storage, ETCD, and OpenShift volumes. The application
node instances use their additional disks for Docker storage and OpenShift volumes.
The wildcard DNS *.apps uses the public subnets and maps to infrastructure nodes. The infrastructure
nodes run the router pod, which then directs traffic directly from the outside world into OpenShift pods
with external routes defined.
If keepalived high availability is utilized, the IP address of the wildcard DNS will need to point
to the virtual IP address assigned to lb_ha_ip in ocp-on-vmware.ini.
Table 5 shows the software and versions installed on the servers in this Red Hat OpenShift
highly available reference environment.
Software Version
Atomic-OpenShift {master/clients/node/sdn-ovs/utils} 3.6.x.x
Docker 1.12.x
Table 2.7. Required Channels - Red Hat OpenShift Container Platform 3 Master and Node Instances
Red Hat Satellite Tools 6.2 (for Red Hat Enterprise Linux 7 Server) (RPMs): rhel-7-server-satellite-tools-6.2-rpms
The code in the openshift-ansible-contrib repository referenced below handles the installation of Red
Hat OpenShift and the accompanying infrastructure. The openshift-ansible-contrib repository is not
explicitly supported by Red Hat.
NOTE
The following task should be performed on the server that the Ansible playbooks will be
launched from.
The initial deployment setup can be largely automated by downloading the setup_ansible shell script.
The content of the script is discussed in detail below.
$ wget https://raw.githubusercontent.com/openshift/openshift-ansible-contrib/vmw-3.6/reference-architecture/vmware-ansible/scripts/setup_ansible.sh
$ chmod +x setup_ansible.sh
The only prerequisite for running the setup script is to ensure that the system you are running from
has a valid RHN subscription attached. That can be checked with the following command:
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.24-1
subscription management rules: 5.15.1
subscription-manager: 1.19.21-1.el7
python-rhsm: 1.19.9-1.el7
Install the following packages on the system performing the provisioning of VMware infrastructure and
installation of Red Hat OpenShift.
NOTE
The following task should be performed on the server that the Ansible playbooks will be
launched from.
# ./setup_ansible.sh
To verify the repository was cloned, the tree command can be used to display all of the contents of the
git repository.
|-- openshift-ansible-contrib
Before getting started with Ansible, first open ocp-on-vmware.ini and populate the configuration file
with your environment's information.
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
[vmware]
# unique cluster_id set during script run
cluster_id=
# console port and install type for OpenShift
console_port=8443
deployment_type=openshift-enterprise
# OpenShift Version
openshift_vers=v3_6
# DNS zone where everything will be hosted and app wildcard prefix
public_hosted_zone=
app_dns_prefix=apps
#create_inventory vars
# number of nodes of each type
master_nodes=3
infra_nodes=3
app_nodes=3
storage_nodes=0
# create_ocp_vars vars
# ldap bind user/password and FQDN ldap domain
ldap_user=openshift
ldap_user_password=
ldap_fqdn=
The default values are pre-populated, but the required values are:
public_hosted_zone
vcenter_host
vcenter_password
vcenter_datacenter
vcenter_datastore
vm_ipaddr_start
ldap_fqdn
ldap_user_password
vm_dns
vm_gw
vm_netmask
Some explanation of the variables is available in Table 3.1, Red Hat OpenShift Installation Variables.
Lastly, provide your Satellite server's address or your Red Hat Network Classic username and password for the
installation of OpenShift.
NOTE
The cluster_id value will be generated automatically when the inventory creation
parameter is run via ocp-on-vmware.py.
OpenShift Container Platform requires a properly configured wildcard DNS zone that resolves to the IP
address of the OpenShift router. For more information, please refer to the OpenShift Container
Platform installation guide. In this reference architecture the --create_inventory parameter on the
ocp-on-vmware.py script will help manage DNS records for the OpenShift Container Platform
environment.
If applications will be hosted externally, a public zone will be required for the setup. However, an
internal DNS zone can also be specified instead. This assumes the values have been populated in
ocp-on-vmware.ini.
$ ./ocp-on-vmware.py --create_inventory
$ORIGIN apps.vmware.example.com.
* A 10.x.x.235
$ORIGIN vmware.example.com.
nfs-0 A 10.x.x.224
haproxy-0 A 10.x.x.235
ocp3-master-0 A 10.x.x.225
ocp3-master-1 A 10.x.x.226
ocp3-master-2 A 10.x.x.227
ocp3-app-0 A 10.x.x.228
ocp3-app-1 A 10.x.x.229
ocp3-app-2 A 10.x.x.230
ocp3-infra-0 A 10.x.x.231
ocp3-infra-1 A 10.x.x.232
ocp3-infra-2 A 10.x.x.233
$ORIGIN apps.vmware.example.com.
* A 10.x.x.235
$ORIGIN vmware.example.com.
haproxy-0 A 10.x.x.235
NOTE
The same steps listed above are applicable when using a subdomain.
2.8.3. Authentication
There are several options when it comes to authentication of users in Red Hat OpenShift Container
Platform. OpenShift can leverage an existing identity provider within an organization such as LDAP, or
OpenShift can use external identity providers like GitHub, Google, and GitLab. The configuration of
identity providers occurs on the OpenShift master instances. OpenShift allows for multiple identity
providers to be specified. This reference architecture document uses LDAP as the authentication
provider but any of the other mechanisms would be an acceptable choice. Roles can be added to user
accounts to allow for extra privileges, such as the ability to list nodes or assign persistent storage
volumes to a project.
For more information on GitHub OAuth and other authentication methods see the Red Hat OpenShift
documentation.
The pertinent OpenShift variables for LDAP authentication are listed below:
openshift_master_identity_providers:
- name: Active_Directory
challenge: true
login: true
kind: LDAPPasswordIdentityProvider
attributes:
id:
- dn
email:
- mail
name:
- cn
preferredUsername:
- uid
insecure: true
url: "ldap://example.com:389/cn=users,dc=example,dc=com?sAMAccountName"
bindDN: "cn=openshift,cn=users,dc=example,dc=com"
bindPassword: "password"
OpenShift needs the fully qualified domain name (FQDN) of the LDAP server in question. An OpenShift
user was created in the users organizational unit (OU) and assigned the password of password. To use
a specific OU for users to authenticate against, create the BIND distinguished name in the desired OU.
This provides a way to isolate logins to a specific group by adding an OU and restricting logins to
members of that OU.
The ocp-on-vmware.py script that executes the install variables does an LDAP bind and verifies
the information provided allows for a successful bind.
The LDAP server configuration can be manually tested (or validated) with the following query:
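The query itself is not shown above; a minimal, hypothetical ldapsearch invocation built from the example values used in this document (the server, BIND DN, base DN, and password below are assumptions that must be adapted to your environment) might look like:
# Hypothetical validation query; adjust the host, BIND DN, base DN, and password
$ ldapsearch -x -H ldap://example.com:389 \
    -D "cn=openshift,cn=users,dc=example,dc=com" -w password \
    -b "cn=users,dc=example,dc=com" "(sAMAccountName=openshift)" dn
A successful result returning the user's distinguished name indicates the BIND account and search base are usable by OpenShift.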
There are two methods to provide NFS storage for the registry:
Creating a custom NFS using the script: byo_nfs = False. The playbooks will default to creating
an NFS server for storage.
Precreated NFS: byo_nfs = True. To leverage an existing on-premise NFS, define the following
variables in the deployment script INI file:
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
The infra nodes will be utilized to load balance traffic on ports 80 and 443. The master nodes will be used
to load balance the console port 8443. All three of these ports will be transmission control protocol
(TCP) connections.
There are three methods to provide load balancing for the cluster:
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
# HA haproxy config
lb_ha_ip=
... content abbreviated ...
Ensure that the proper ports are configured on your existing load balancer and additionally make sure
that your wildcard DNS record points to it as well.
Technologies such as SIOC and VMware HA should already be configured. After the environment is
provisioned, some anti-affinity rules will be established to ensure maximum uptime and optimal
performance.
2.9.1. Networking
An existing port group and virtual LAN (VLAN) are required for deployment. The initial configuration of
the Red Hat OpenShift nodes in this reference architecture assumes you will be deploying VMs to a
port group called "VM Network". This can be changed in the ocp-on-vmware.ini file under the variable:
vm_network. Once deployed, vmtoolsd is used to determine the static addresses.
The environment can utilize a vSphere Distributed Switch (vDS) or a standard vSwitch. The specifics of that are
unimportant. However, should you wish to utilize Network I/O Control and some of the quality of service
(QoS) technologies that VMware employs, you would need to choose a vDS for the deployment.
NOTE
Some storage providers such as Dell Equallogic advise disabling Storage I/O Control
(SIOC) as the array optimizes it. Check with your storage provider for details.
The setup playbook in Ansible creates a folder and resource pool via the defined values in
ocp-on-vmware.ini; the defaults are ocp36.
Creates a folder for the Red Hat OpenShift VMs for logical organization named: "ocp36"
Ensure this folder exists under the datacenter and cluster you will use for deployment
This will allow you to use default names and not force you to customize outside of these entries. If you
would like to customize the names, feel free to, but remember to specify them later on in
Section 3.1, Provisioning the Infrastructure with Ansible by Red Hat.
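As a quick reference, the folder and resource pool values in use can be confirmed directly from ocp-on-vmware.ini; the values shown in the sketch below are the assumed defaults described above, and the exact key names can be verified in the INI file itself.
$ grep -E '^(vcenter_folder|vcenter_resource_pool)=' ocp-on-vmware.ini
vcenter_folder=ocp36
vcenter_resource_pool=ocp36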
Before beginning the deployment of the VMware infrastructure and the deployment of Red Hat
OpenShift, a specific SSH configuration must be in place to ensure that the proper SSH keys are used
during the provisioning process.
NOTE
The following task should be performed on the server where the Ansible playbooks will
be launched.
|. . * = = + |
|... . B . = . |
+----[SHA256]-----+
$ ssh-copy-id root@ipaddress_of_template
NOTE
The ocp-on-vmware script will copy over the user's ssh id_rsa to the ssh key Ansible
expects at ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ssh_key/ocp-installer
Please note that you are encouraged to copy your public key "~/.ssh/id_rsa.pub" to the
template's authorized_keys file ahead of time. The ssh-copy-id command above accomplishes that task.
Any image that meets the prerequisites mentioned above should suffice. The Ansible playbooks will
copy over keys, or you could prepare the authorized_keys section ahead of time. The default
vcenter_template_name is "ocp3-server-template-2.0.2". This can be customized to your
environment at runtime.
Prepare the virtual machine to meet the specified requirements listed in the system requirements
section of the docs:
2 vCPU
8GB RAM
Application nodes running CNS require 32GB of RAM. This will be discussed later in the
storage section.
1 x 60GB drive
The masters require an additional 40GB drive for ETCD storage
#!/bin/bash
#
# This file will prepare a RHEL7.4 instance for being converted to a VMware template
# used as an OpenShift Enterprise host
The dynamic inventory script is also referred to as an Ansible inventory script, and the VMware-specific
script is written in Python. The script can be manually executed to provide information about the
environment, but for this reference architecture it is automatically called to generate the Ansible
inventory.
This particular inventory script utilizes VMware's pyVMomi Python software development kit (SDK) for
querying vCenter. Some modifications to the default INI configuration file are shown below.
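The referenced modifications did not survive formatting here; the following is a hypothetical sketch of the kind of INI settings such a pyVMomi-based inventory script consumes. The key names are assumptions and must be verified against the inventory script actually shipped in the repository; the example values match the vCenter details used elsewhere in this document.
[vmware]
# Hypothetical example values; confirm the supported keys in the inventory script's INI file
server=10.x.x.25
username=administrator@vsphere.local
password=<vcenter_password>
validate_certs=False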
For the Red Hat OpenShift installation, the Python script and the Ansible module add_host allow for
instances to be grouped based on their purpose to be used in later playbooks. During Phase 1, the
infrastructure is provisioned with VMware annotations. The VMware annotations provide the ability to
group instances.
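A minimal, hypothetical sketch of how add_host can place annotated instances into an in-memory group for later plays is shown below; the real playbooks in openshift-ansible-contrib may structure this differently, and the group name is derived from the cluster_id annotations described next.
# Hypothetical Ansible task; assumes an inventory group named "<cluster_id>-master" exists
- name: Group the master VMs for later plays
  add_host:
    name: "{{ item }}"
    groups: masters
  with_items: "{{ groups[cluster_id + '-master'] }}"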
The annotation uses the following layout: a randomly generated cluster_id plus master, app, infra,
loadbalancer, or networkfs.
master master
app app
infra infra
NFS networkfs
HAproxy loadbalancer
The interesting parts of the output from our inventory script are shown below:
"3e06olsus6x2rbgcxw4t-app": {
"hosts": [
"app-2",
"app-1",
"app-0"
]
},
"3e06olsus6x2rbgcxw4t-infra": {
"hosts": [
"infra-0",
"infra-1",
"infra-2"
]
},
"3e06olsus6x2rbgcxw4t-master": {
"hosts": [
"master-1",
"master-0",
"master-2"
2.11. NODES
Nodes are VMware virtual machines that serve a specific purpose for Red Hat OpenShift. OpenShift
masters are also considered nodes. Nodes deployed on VMware can be horizontally scaled (scaled
out) before or after the OpenShift installation using the create_inventory flag in the deployment script.
The masters:
The masters are used to define routes, services, and volume claims for pods deployed within the
OpenShift environment.
A default node selector configuration parameter is set on the master, which ensures that Red Hat OpenShift Container
Platform user containers will be placed on the application nodes by default.
Red Hat OpenShift pods have the ability to be scaled at runtime or at the time of launch using the
OpenShift console or the oc CLI tool. Any container running in the environment is considered a pod.
The pods containing the OpenShift router and registry are required to be deployed in the OpenShift
environment.
The ovs-subnet plug-in is the original plug-in which provides a "flat" pod network where every
pod can communicate with every other pod and service.
The ovs-multitenant plug-in provides OpenShift Container Platform project level isolation for
pods and services. Each project receives a unique Virtual Network ID (VNID) that identifies
traffic from pods assigned to the project. Pods from different projects cannot send packets to
or receive packets from pods and services of a different project.
2.14. ROUTER
Pods inside of a Red Hat OpenShift cluster are only reachable via their IP addresses on the cluster
network. An edge load balancer can be used to accept traffic from outside networks and proxy the
traffic to pods inside the OpenShift cluster.
An OpenShift administrator can deploy routers in an OpenShift cluster. These enable routes created
by developers to be used by external clients.
OpenShift routers provide external hostname mapping and load balancing to services over protocols
that pass distinguishing information directly to the router; the hostname must be present in the
protocol in order for the router to determine where to send it. Routers support the following protocols:
HTTP
WebSockets
The router utilizes the wildcard zone specified during the installation and configuration of OpenShift.
This wildcard zone is used by the router to create routes for a service running within the OpenShift
environment to a publicly accessible URL. The wildcard zone itself is a wildcard entry in DNS which is
linked using a Canonical Name record (CNAME) to a load balancer, which performs a health check and
forwards traffic to router pods on port 80 and 443.
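For illustration, a hypothetical BIND-style wildcard entry using the example names from this document, pointing the application wildcard at the load balancer via a CNAME (the exact record depends on how your DNS is managed):
*.apps.example.com.    IN CNAME    haproxy-0.example.com.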
2.15. REGISTRY
Red Hat OpenShift can build Docker images from your source code, deploy them, and manage their life
cycle. To enable this, OpenShift provides an internal, integrated Docker registry that can be deployed
in your OpenShift environment to manage images.
The registry stores Docker images and metadata. For a production environment, you should use
persistent storage for the registry; otherwise, any images anyone has built or pushed into the registry
would disappear if the pod were to restart.
Using the installation methods described in this document the registry is deployed using an NFS share.
The NFS share allows for multiple pods to be deployed at once for HA but also use the same persistent
backend storage. NFS is file based storage which does not get assigned to nodes in the same way that
VMDK volumes are attached and assigned to a node. The share does not mount as block-based storage
to the node so commands like fdisk or lsblk will not show information in regards to the NFS share.
The configuration for the NFS share is completed via an Ansible playbook. Users of this reference
architecture can also bring their own NFS server and share name should an existing resource exist
on-premise.
When metrics are deployed, persistent storage should be used to allow metrics to be preserved.
Metrics data is stored for 7 days by default unless specified otherwise.
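A minimal, hypothetical inventory excerpt for enabling metrics with a custom retention period is shown below. openshift_hosted_metrics_deploy appears later in this document's configuration output; the retention variable name is an assumption and should be verified against the OpenShift 3.6 metrics documentation.
# Hypothetical settings; confirm variable names for your OpenShift 3.6 installer version
openshift_hosted_metrics_deploy=true
# Retention period in days (assumed variable name)
openshift_metrics_duration=7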
CHAPTER 3. PROVISIONING THE INFRASTRUCTURE
3.1.1.1. Create a Red Hat OpenShift lightweight directory access protocol (LDAP) BIND user
account
An existing user account can be utilized or a new account can be created. Below, we have created the
user openshift in our default users organizational unit or OU. The location does not matter as our
wrapper script will search LDAP for the distinguished name and return our full path to the user
account.
In our example above, our important OpenShift authentication variables would be:
url:
ldap://e2e.bos.redhat.com:389/CN=Users,DC=e2e,DC=bos,DC=redhat,DC=com?
sAMAccountName
bindDN: CN=openshift,CN=Users,DC=e2e,DC=bos,DC=redhat,DC=com
bindPassword: password
NOTE
The following task should be performed on the server that the Ansible playbooks will be
launched from.
This will be our first hands-on experience with ocp-on-vmware.py. Within the openshift-ansible-contrib
git repository is a Python script called ocp-on-vmware.py that launches VMware resources and installs
Red Hat OpenShift on the new resources. The OpenShift install Ansible playbook requires a few
variables for a successful installation. This will include both authentication variables and the network
FQDN variables.
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ ./ocp-on-vmware.py --create_ocp_vars
Configured OCP variables:
auth_type: ldap
ldap_fqdn: e2e.bos.redhat.com
ldap_user: openshift
ldap_user_password: password
public_hosted_zone: vcenter.example.com
app_dns_prefix: apps
byo_lb: False
lb_fqdn: haproxy-0
Using values from: ./ocp-on-vmware.ini
Continue using these values? [y/N]:
As noted above, we will need the username and password created to bind to LDAP. We will also need
your LDAP FQDN to locate your server. If the LDAP source is Microsoft's Active Directory, the host
where you are running ocp-on-vmware.py will need the ability to locate service records (SRV) for
your domain using DNS.
The wildcard zone is a combination of the app_dns_prefix and the public_hosted_zone. This will be the
FQDN that OpenShift uses for deployed applications, and the load balancer FQDN will serve as the
OpenShift cluster's hostname and public hostname for cluster configuration purposes.
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
# DNS zone where everything will be hosted and app wildcard prefix
public_hosted_zone=example.com
app_dns_prefix=apps
# create_ocp_vars vars
# ldap bind user/password and FQDN ldap domain
ldap_user=openshift
ldap_user_password=password
ldap_fqdn=example.com
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
./ocp-on-vmware.py --create_ocp_vars
Once the script runs, the ocp-install.yaml file that contains the Ansible variables for the OCP
installation is modified with the above variables.
An example is below:
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/playbooks/ocp-install.yaml
... omitted ...
wildcard_zone: apps.example.com
osm_default_subdomain: "{{ wildcard_zone }}"
load_balancer_hostname: haproxy-0.example.com
openshift_master_cluster_hostname: "{{ load_balancer_hostname }}"
openshift_master_cluster_public_hostname: "{{ load_balancer_hostname }}"
openshift_master_identity_providers:
- name: Active_Directory
challenge: true
login: true
kind: LDAPPasswordIdentityProvider
attributes:
id:
- dn
email:
- mail
name:
- cn
preferredUsername:
- uid
insecure: true
url: ldap://example.com:389/CN=Users,DC=example,DC=com?sAMAccountName
bindDN: CN=openshift,CN=Users,DC=example,DC=com
bindPassword: password
... omitted ...
NOTE
The following task should be performed on the server where the Ansible playbooks will
be launched.
Now that our installation variables are complete, define the infrastructure requirements.
WARNING
Before deployment, the VLAN used as a deploy target should have a port group
named "VM Network" available. The VLAN should also have a set of contiguous IP
addresses with enough addresses to cover our deployment components. If you are
bringing your own NFS or load balancer, those IPs can be omitted.
Wildcard IP address; this will also be the target for our load balancer
The number of storage nodes you wish to install (This will be explained in the storage chapter)
Provided these requirements are defined, populate the entries in the VMware guest inventory file.
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
#create_inventory vars
# number of nodes of each type
master_nodes=3
infra_nodes=3
app_nodes=3
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
./ocp-on-vmware.py --create_inventory
Configured inventory values:
master_nodes: 3
infra_nodes: 3
app_nodes: 3
public_hosted_zone: example.com
app_dns_prefix: apps
ocp_hostname_prefix:
byo_nfs: False
nfs_host: nfs-0
byo_lb: False
lb_host: haproxy-0
vm_ipaddr_start: 10.x.x.224
Using values from: ./ocp-on-vmware.ini
A possibility for scaling your environment could be to create an equal number of master nodes
per the number of hypervisors. Remember that the ETCD cluster requires an odd number of nodes for
cluster election. This would allow us to create anti-affinity rules separating the master nodes and
allowing for maximum uptime. However, you can customize the number of all your nodes for the
environment by modifying the value of the app_nodes, master_nodes, and infra_nodes variables.
Our wrapper script takes the number of nodes you will be building and increments your
vm_ipaddr_start by that amount. Let's build a sample configuration that matches our OpenShift install
variables above.
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
#create_inventory vars
# number of nodes of each type
master_nodes=3
infra_nodes=3
app_nodes=3
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
./ocp-on-vmware.py --create_inventory --no-confirm
As you can see based on our input we have the guidelines for our DNS zone creation or modification.
Also, the wildcard_zone record is shown with our supplied public_hosted_zone and the default
app_dns_prefix of apps. Additionally, in that directory we have created a dynamic base inventory file
infrastructure.json with the specifics for provisioning the environment.
ocp3-master-0:
guestname: ocp3-master-0
tag: 3e06olsus6x2rbgcxw4t-master
ip4addr: 10.19.114.225
Note the "tag: 3e06olsus6x2rbgcxw4t-master" in the entry. This will be the annotation created on the
virtual machine and is how OpenShift labels are generated for the VMware virtual machines.
To connect to our vCenter server and be able to provision VMs with our Ansible playbooks, we will need
three components:
vcenter_host
vcenter_username
vcenter_password
Once we have these three authentication variables, the remaining variables as described in
Section 2.9, VMware vCenter Prerequisites are:
vcenter_template_name
vcenter_folder
vcenter_cluster
vcenter_resource_pool
vcenter_datacenter
vcenter_datastore
vm_gw
vm_dns
vm_netmask
The ocp-on-vmware.py script contains many different configuration options, such as configuring Red
Hat Network Classic vs. Red Hat Satellite Server.
To see all of the potential options, check out the INI file.
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
[vmware]
# console port and install type for OpenShift
console_port=8443
deployment_type=openshift-enterprise
For deploying Red Hat OpenShift into a new environment, ocp-on-vmware.py creates our virtual
machines, deploys and configures an HAproxy load balancer and an NFS server for registry storage.
Once the values have been entered into the ocp-on-vmware.py script, all values will be presented from
the configuration file and the script will prompt to continue with the values or exit.
Additionally, the VMware specific variables below are using the defaults as discussed in Section 2.9,
VMware vCenter Prerequisites.
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ ./ocp-on-vmware.py
Configured values:
console_port: 8443
deployment_type: openshift-enterprise
vcenter_host: 10.x.x.25
vcenter_username: administrator@vsphere.local
vcenter_password:
vcenter_template_name: ocp-server-template-2.0.2
vcenter_folder: ocp36
vcenter_cluster: devel
vcenter_datacenter: Boston
vcenter_datastore: ose3-vmware-prod
vcenter_resource_pool: ocp36
public_hosted_zone: vcenter.example.com
app_dns_prefix: apps
vm_dns: 10.x.x.5
vm_gw: 10.x.x.254
vm_netmask: 255.255.255.0
vm_network: VM Network
byo_lb: False
lb_host: haproxy-0.vcenter.example.com
byo_nfs: False
nfs_registry_host: nfs-0.vcenter.example.com
nfs_registry_mountpoint: /registry
apps_dns: apps.vcenter.example.com
openshift_sdn: redhat/openshift-ovs-subnet
openshift_hosted_metrics_deploy: false
container_storage: none
The ocp-on-vmware.py script allows for deployments into an existing environment in which VMs
already exist and are subscribed to the proper Red Hat Enterprise Linux channels. The prerequisite
packages will be installed. The script expects the proper VM annotations to be created on your VMs as
described in Section 2.10, Dynamic Inventory. A cluster_id can be manually created. Then app
nodes will be labeled "app", infra nodes labeled "infra", and master nodes labeled as "master."
Lastly, the prepared VMs must also have two additional hard disks as the OpenShift setup needs those
for both docker storage and OpenShift volumes.
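For illustration only, one hedged way to set such an annotation on an existing VM is with the govc CLI; govc is not part of the reference playbooks, and the VM name, cluster_id value, and flag support below are assumptions to verify for your environment.
# Hypothetical example; assumes GOVC_URL and credentials are already exported
$ govc vm.change -vm ocp3-app-0 -annotation "my_custom_id-app"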
nfs - This tag will install an NFS server using the playbooks and variables given
The dynamic inventory script uses your pre-existing annotations to determine labels
ocp-configure - The final tag listed will configure your persistent registry and scale
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ ./ocp-on-vmware.py --tag nfs,haproxy,ocp-install,ocp-configure
Configured values:
cluster_id: my_custom_id
console_port: 8443
deployment_type: openshift-enterprise
vcenter_host: 10.x.x.25
vcenter_username: administrator@vsphere.local
vcenter_password:
vcenter_template_name: ocp-server-template-2.0.2
vcenter_folder: ocp36
vcenter_cluster: devel
vcenter_datacenter: Boston
vcenter_datastore: ose3-vmware-prod
vcenter_resource_pool: ocp36
public_hosted_zone: vcenter.example.com
app_dns_prefix: apps
vm_dns: 10.x.x.5
vm_gw: 10.x.x.254
vm_netmask: 255.255.255.0
vm_network: VM Network
rhel_subscription_user: sysengra
rhel_subscription_password:
byo_lb: False
lb_host: haproxy-0.vcenter.example.com
byo_nfs: False
nfs_registry_host: nfs-0.vcenter.example.com
nfs_registry_mountpoint: /registry
apps_dns: apps.vcenter.example.com
Using values from: ./ocp-on-vmware.ini
In the case where NFS and load balancer instance(s) have already been deployed, an option exists
within our INI file to not deploy those services.
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ vim ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
Configured values:
cluster_id: my_custom_id
console_port: 8443
deployment_type: openshift-enterprise
vcenter_host: 10.19.114.25
vcenter_username: administrator@vsphere.local
vcenter_password:
vcenter_template_name: ocp-server-template-2.0.2
vcenter_folder: ocp
vcenter_cluster: devel
vcenter_datacenter: Boston
vcenter_resource_pool: OCP3
public_hosted_zone: vcenter.e2e.bos.redhat.com
app_dns_prefix: apps
vm_dns: 10.19.114.5
vm_gw: 10.19.115.254
vm_netmask: 255.255.254.0
vm_network: VM Network
byo_lb: True
lb_host: my-load-balancer
byo_nfs: True
nfs_host: my-nfs-server
nfs_registry_mountpoint: /my-registry
apps_dns: apps.vcenter.e2e.bos.redhat.com
Using values from: ./ocp-on-vmware.ini
Prior to Chapter 4, Operational Management, create DRS anti-affinity rules to ensure maximum
availability for our cluster.
1. Open the VMware vCenter web client, select the cluster, choose configure.
The following VMware documentation goes over creating and configuring anti-affinity rules in depth.
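As a hedged, CLI-based alternative to the web client steps, an anti-affinity rule for the master VMs could be created with the govc utility; govc is not part of this reference architecture's tooling, and the exact flags should be verified against your govc version.
# Hypothetical sketch; assumes GOVC_URL and credentials are already exported
$ govc cluster.rule.create -name ocp3-master-anti-affinity -enable \
    -anti-affinity ocp3-master-0 ocp3-master-1 ocp3-master-2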
Once the playbooks have successfully completed, the next steps will be to perform the steps defined in
Chapter 4, Operational Management. In the event that OpenShift failed to install, follow the steps in
Appendix E, Installation Failure to restart the installation of OpenShift.
Lastly, set the latency sensitivity of all of the VMs created to High to apply some additional tuning recommended
by VMware for latency-sensitive workloads as described here.
1. Open the VMware vCenter web client and under the virtual machines summary tab, in the 'VM
Hardware' box select 'Edit Settings'.
The OpenShift Registry Console is deployed on any Red Hat OpenShift Container Platform
node by default, so the container may end up running on any of the application nodes.
From the first master instance (ocp3-master-0.example.com), ensure the OpenShift Registry Console
pod runs on the infra nodes by modifying the nodeSelector as follows:
$ oc patch dc registry-console \
-n default \
-p '{"spec":{"template":{"spec":{"nodeSelector":{"role":"infra"}}}}}'
NOTE
There is a Bugzilla (ID 1425022) being investigated by Red Hat at the time of writing this
paper to fix this issue.
Log into the VMware vCenter client and check the resources.
3 Master nodes
2 Infrastructure nodes
3 Application nodes
NFS Server
HAproxy Server
At this point, the OpenShift URL will be available using the CNAME load balancer entry.
NOTE
When installing using this method the browser certificate must be accepted three times.
The certificate must be accepted three times due to the number of masters in the
cluster.
CHAPTER 4. OPERATIONAL MANAGEMENT
Environment Validation
Validate the public OpenShift load balancer address from the installation system
Validate the public OpenShift load balancer address from the master nodes
Validate the health of the ETCD cluster to ensure all ETCD nodes are healthy
NOTE
Ensure the URLs below and the tag variables match the variables used during
deployment.
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/
$ ocp-on-vmware.py --tag ocp-demo
One option to get these hostnames is to run the Section 2.10, Dynamic Inventory script manually and
look at our infra, app and master groups.
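By convention, Ansible dynamic inventory scripts print their groups as JSON when invoked with --list; a hypothetical invocation is shown below, where the script name and path are assumptions and should be replaced with the inventory script referenced in Section 2.10.
# Hypothetical; substitute the actual dynamic inventory script from the repository
$ ./vmware_inventory.py --list | python -m json.tool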
To help facilitate the Operational Management chapter, the following hostnames will be used.
ocp3-master-0.example.com
ocp3-master-1.example.com
ocp3-master-2.example.com
ocp3-infra-0.example.com
ocp3-infra-1.example.com
ocp3-infra-2.example.com
ocp3-app-0.example.com
ocp3-app-1.example.com
ocp3-app-2.example.com
To run diagnostics, SSH into the first master node (ocp3-master-0.example.com). Direct access is
provided to the first master node because of the configuration of the local "~/.ssh/config" file.
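A minimal, hypothetical ~/.ssh/config entry that would provide this direct access is sketched below; the IdentityFile path matches the key location mentioned in Section 2.9.4, but the actual playbook-generated configuration may differ.
# Hypothetical excerpt; the generated configuration may differ
Host ocp3-master-0.example.com
    User root
    IdentityFile ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ssh_key/ocp-installer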
$ ssh root@ocp3-master-0.example.com
Connectivity to the first master node (ocp3-master-0.example.com) as the root user should have been
established. Run the diagnostics that are included as part of the install.
# oc adm diagnostics
[Note] Determining if client configuration exists for client/cluster
diagnostics
Info: Successfully read a client config file at '/root/.kube/config'
Info: Using context for cluster-admin access: 'default/haproxy-0-example-
com:8443/system:admin'
[Note] Performing systemd discovery
NOTE
Based on the results of the diagnostics, actions can be taken to remediate any issues.
The internal DNS names of the nodes running etcd must be used.
SSH into the first master node (ocp3-master-0.example.com). Using the output of the command
hostname, issue the etcdctl command to confirm that the cluster is healthy.
$ ssh root@ocp3-master-0.example.com
# hostname
ocp3-master-0.example.com
# etcdctl -C https://$(hostname):2379 --ca-file=/etc/origin/master/master.etcd-ca.crt \
  --cert-file=/etc/origin/master/master.etcd-client.crt \
  --key-file=/etc/origin/master/master.etcd-client.key cluster-health
member d3525253178d331c is healthy: got healthy result from
https://10.19.114.225:2379
member edf71ee725ea87b6 is healthy: got healthy result from
https://10.19.114.226:2379
member f2e1170c11b5cea8 is healthy: got healthy result from
https://10.19.114.227:2379
NOTE
In this configuration the etcd services are distributed among the OpenShift master
nodes.
SSH into the first master node (ocp-master-0.example.com) to verify the defaultNodeSelector is
defined.
# vi /etc/origin/master/master-config.yaml
...omitted...
projectConfig:
defaultNodeSelector: "role=app"
projectRequestMessage: ""
projectRequestTemplate: ""
...omitted...
NOTE
Any changes to the master configuration require the restart of the master API service
across all master nodes.
At launch time, user-data creates an XFS partition on the /dev/sdc block device, adds an entry in fstab,
and mounts the volume with the option of gquota. If gquota is not set the OpenShift node will not be
able to start with the "perFSGroup" parameter defined below. This disk and configuration is done on
the infrastructure and application nodes. The configuration is not done on the masters due to the
master nodes being unschedulable.
SSH into the first infrastructure node (ocp-infra-0.example.com) to verify the entry exists within fstab.
$ cat /etc/fstab
/dev/sdc /var/lib/origin/openshift.local.volumes xfs gquota 0 0
The docker-storage-setup file is created at launch time by user-data. This file tells the Docker service
to use /dev/sdb and create the volume group of docker-vol. Docker storage setup is performed on all
master, infrastructure, and application nodes. Notice that the storage driver is listed as overlay2. This is
a new driver option that has been backported to RHEL 7.4.
$ cat /etc/sysconfig/docker-storage-setup
DEVS="/dev/sdb"
VG="docker-vol"
DATA_SIZE="95%VG"
STORAGE_DRIVER=overlay2
CONTAINER_ROOT_LV_NAME=dockerlv
CONTAINER_ROOT_LV_MOUNT_PATH=/var/lib/docker
CONTAINER_ROOT_LV_SIZE=100%FREE
The perFSGroup setting restricts the ephemeral EmptyDir volume from growing larger than 512Mi. This
EmptyDir quota is done on the infrastructure and application nodes. The configuration is not done on
the masters due to the master nodes being unschedulable.
$ vi /etc/origin/node/node-config.yml
...omitted...
volumeConfig:
localQuota:
perFSGroup: 512Mi
Perform the following to verify the subscriptions match those defined in Section 2.6, Required
Channels:
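The abbreviated output shown below comes from listing the enabled repositories with yum:
# yum repolist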
!rhel-7-server-ose-3.6-rpms/x86_64
Red Hat OpenShift Container Platform 3.6 (RPMs)
503+20
!rhel-7-server-rpms/7Server/x86_64
Red Hat Enterprise Linux 7 Server (RPMs)
17,202
repolist: 18,362
NOTE
All other repositories are disabled and only those repositories defined in the Ansible role
rhsm are enabled. If you use Red Hat Satellite Server, you will have the additional
Satellite tools repo.
Use the CNAME of the load balancer to access GUI console login.
To deploy an application, click on the new project button. Provide a name and click Create. Next,
deploy the jenkins-ephemeral instant app by clicking the corresponding box. Accept the defaults and
click create. Instructions along with a URL will be provided for how to access the application on the
next screen. Click continue to overview and bring up the management page for the application. Click
on the link provided and access the application to confirm functionality. Wait for the application to
finish deployment.
Install the oc client by visiting the public URL of the OpenShift deployment. For example,
https://haproxy-0.example.com/console/command-line and click latest release. When directed to
https://access.redhat.com, log in with valid Red Hat customer credentials and download the client
relevant to the current workstation. Follow the instructions located on the production documentation
site for getting started with the CLI.
A token is required to log in using GitHub OAuth and OpenShift. The token is presented on the
https://haproxy-0.example.com/console/command-line page. Click the click to show token hyperlink
and perform the following on the workstation in which the oc client was installed.
$ oc login https://haproxy-0.example.com --token=fEAjn7LnZE6v5SOocCSRVmUWGBNIIEKbjD9h-Fv7p09
After the oc client is configured, create a new project and deploy an application.
$ oc new-project test-app
$ oc status
In project test-app on server https://haproxy-0.example.com
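The deployment step itself is abbreviated above; a minimal, hypothetical way to deploy the CakePHP example into this project is shown below, where the repository URL and resulting service name are assumptions to adapt to your environment.
# Hypothetical deployment of the upstream CakePHP example application
$ oc new-app https://github.com/openshift/cakephp-ex.git
$ oc expose svc/cakephp-ex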
Access the application by accessing the URL provided by oc status. The CakePHP application should be
visible now.
The reason it is failing is that the permissions for that user are incorrect. Get the username and
configure the permissions.
$ oc whoami
Once the username has been established, log back into a master node and enable the appropriate
permissions for your user. Perform the following step from the first master (ocp3-master-
0.example.com).
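The exact command is not reproduced above; a hedged example of granting elevated access with the cluster-admin role is shown below. Choose a role appropriate to your policies and substitute the username returned by oc whoami.
# Hypothetical example; replace <username> with the value from "oc whoami"
# oc adm policy add-cluster-role-to-user cluster-admin <username>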
stname=ocp3-master-0.example.com,role=master
ocp3-master-1.example.com Ready,SchedulingDisabled 2d
v1.6.1+5115d708d7
beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/ho
stname=ocp3-master-1.example.com,role=master
ocp3-master-2.example.com Ready,SchedulingDisabled 2d
v1.6.1+5115d708d7
beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/ho
stname=ocp3-master-2.example.com,role=master
NOTE
# oc project default
# oc get all
# oc status
In project default on server https://haproxy-0.example.com:8443
https://docker-registry-default.apps.vcenter.e2e.bos.redhat.com
(passthrough) (svc/docker-registry)
dc/docker-registry deploys docker.io/openshift3/ose-docker-
registry:v3.6.173.0.21
deployment #1 deployed 23 hours ago - 1 pod
https://registry-console-default.apps.vcenter.e2e.bos.redhat.com
(passthrough) (svc/registry-console)
dc/registry-console deploys
registry.access.redhat.com/openshift3/registry-console:v3.6
deployment #1 deployed 23 hours ago - 1 pod
Observe the output of oc get all and oc status. Notice that the registry and router information is clearly
listed.
NOTE
$ oc describe svc/docker-registry
Name: docker-registry
Namespace: default
Labels: docker-registry=default
Selector: docker-registry=default
Type: ClusterIP
IP: 172.30.252.119
Port: 5000-tcp 5000/TCP
Endpoints: 172.16.5.3:5000,172.16.8.2:5000
Session Affinity: ClientIP
No events.
Notice that the registry has two endpoints listed. Each of those endpoints represents a Docker
container. The ClusterIP listed is the actual ingress point for the registries.
NOTE
Once the endpoints are known, go to one of the infra nodes running a registry and grab some
information about it. Capture the container UID in the leftmost column of the output.
# oc get pods
NAME READY STATUS RESTARTS AGE
docker-registry-2-8b7c6 1/1 Running 0 2h
docker-registry-2-drhgz 1/1 Running 0 2h
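On the infrastructure node itself, the running registry container can then be located with docker ps; a sketch (container IDs and names will differ):
# docker ps | grep ose-docker-registry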
k8s_registry.90479e7d_docker-registry-2-jueep_default_d5882b1f-5595-11e6-a247-0eaf3ad438f1_ffc47696
oc volume dc/docker-registry
deploymentconfigs/docker-registry
pvc/registry-claim (allocated 20GiB) as registry-storage
mounted at /registry
secret/registry-certificates as registry-certificates
mounted at /etc/secrets
The example below can be performed on any node, but for this example the infrastructure node
(ocp-infra-0.example.com) is used.
The output below verifies Docker storage is not using a loopback device.
# docker info
...omitted...
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 2
Total Memory: 15.5 GiB
Name: master-0
ID: DTNQ:U22B:R6GN:2ZES:AATU:SYVE:SYQU:6FKS:GATT:I4TI:CV3H:6MJ2
Docker Root Dir: /var/lib/docker
...omitted...
Registries: registry.access.redhat.com (secure), docker.io (secure)
Verify three disks are attached to the instance. The disk /dev/sda is used for the OS, /dev/sdb is used
for Docker storage, and /dev/sdc is used for EmptyDir storage for containers that do not use a
persistent volume.
# fdisk -l
NOTE
Log into the VMware vCenter client. Under VMs and Templates, locate your running ocp3-master-
2.example.com VM, select it, right click and change the state to Power off.
Ensure the console can still be accessed by opening a browser and accessing haproxy-0.example.com.
At this point, the cluster is in a degraded state because only two out of three master nodes are
running.
$ ssh root@ocp3-master-0.example.com
# hostname
ocp3-master-0.example.com
# etcdctl -C https://$(hostname):2379 \
    --ca-file=/etc/origin/master/master.etcd-ca.crt \
    --cert-file=/etc/origin/master/master.etcd-client.crt \
    --key-file=/etc/origin/master/master.etcd-client.key cluster-health
member d3525253178d331c is healthy: got healthy result from
https://10.19.114.225:2379
failed to check the health of member edf71ee725ea87b6 on
https://10.19.114.226:2379: Get https://10.19.114.226:2379/health: dial
tcp 10.19.114.226:2379: i/o timeout
member edf71ee725ea87b6 is unreachable: [https://10.19.114.226:2379] are
all unreachable
member f2e1170c11b5cea8 is healthy: got healthy result from
https://10.19.114.227:2379
Restart ocp3-master-2.example.com by following the same steps in the VMware console as noted
above.
NOTE
Before bringing down an infrastructure node, check behavior and ensure things are working as
expected. The goal of testing an infrastructure node outage is to see how the OpenShift routers and
registries behave. Confirm the simple application deployed earlier is still functional. If it is not,
deploy a new version. Access the application to confirm connectivity. As a reminder, to find the
required information and ensure the application is still running: list the projects, change to the
project in which the application is deployed, get the status of the application (which includes the
URL), and access the application via that URL.
$ oc get projects
NAME DISPLAY NAME STATUS
openshift Active
openshift-infra Active
ttester Active
test-app1 Active
default Active
management-infra Active
$ oc project test-app1
Now using project "test-app1" on server "https://haproxy-0.example.com".
$ oc status
In project test-app1 on server https://haproxy-0.example.com
This is another step to take before initiating the outage of the infrastructure node: ensure that the
registry is functioning properly. The goal is to push an image to the Red Hat OpenShift registry.
NOTE
Perform the following steps from a CLI on a local workstation and ensure that the oc
client has been configured.
# oc whoami -t
feAeAgL139uFFF_72bcJlboTv7gi_bo373kf1byaAT8
# oc get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S)
AGE
docker-registry 172.30.195.135 <none> 5000/TCP
23h
kubernetes 172.30.0.1 <none> 443/TCP,53/UDP,53/TCP
23h
registry-console 172.30.203.227 <none> 9000/TCP
23h
router 172.30.253.65 <none> 80/TCP,443/TCP,1936/TCP
23h
Tag the Docker image with the endpoint from the previous step.
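A sketch of authenticating to the internal registry and tagging an image, assuming a busybox image has been pulled locally and using the docker-registry service IP and token shown above:
# docker login -u $(oc whoami) -p $(oc whoami -t) 172.30.195.135:5000
# docker pull docker.io/busybox
# docker tag docker.io/busybox 172.30.195.135:5000/test-app1/busybox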
Check the images and ensure the newly tagged image is available.
# docker images
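The tagged image can then be pushed to the internal registry; a sketch using the same endpoint:
# docker push 172.30.195.135:5000/test-app1/busybox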
NOTE
Change to the default OpenShift project and check the router and registry pod locations.
# oc project default
Now using project "default" on server "https://haproxy-0.example.com".
# oc get pods
NAME READY STATUS RESTARTS AGE
docker-registry-1-065t9 1/1 Running 0 23h
registry-console-1-h7vsc 1/1 Running 0 23h
router-1-ksxk1 1/1 Running 0 23h
# oc describe pod docker-registry-1-065t9 | grep -i node
Node: infra-0/10.19.114.228
Node-Selectors: role=infra
# oc describe pod router-1-ksxk1 | grep -i node
Node: infra-0/10.19.114.228
Node-Selectors: role=infra
NOTE
Log into the VMware console. Under VMs and Templates, locate your running infra-0.example.com VM,
select it, right-click and change the state to Power off. Wait a minute or two for the registry and
router pods to migrate to another infrastructure node. Check the pod locations and confirm where they
are now running. Follow the procedures above to ensure a Docker image can still be pushed to the
registry now that infra-0 is down.
$ cd ~/git/openshift-ansible-contrib/playbooks
$ vi minor-update.yaml
openshift_rolling_restart_mode: system
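A sketch of running the playbook once the restart mode has been set; the exact invocation and any extra variables depend on the environment and are an assumption here:
$ ansible-playbook minor-update.yaml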
CHAPTER 6. PERSISTENT STORAGE OPTIONS
Starting with OpenShift 3.6, a StorageClass can be created that utilizes the DataStore within the
VMware environment. The ocp-on-vmware script configures a default StorageClass using the same
vcenter_datastore where the VMs are deployed. The vSphere cloud provider configuration is
created automatically by the Ansible playbooks.
The vsphere.conf file contains specific information that relates to the VMware environment in
which OpenShift is deployed. This file is stored on all nodes of the cluster. The example below shows
the values of an example vsphere.conf. The vsphere.conf file works in conjunction with the
master-config.yaml and node-config.yaml to identify and attach volumes to hosts to be used
for persistent storage.
$ cat /etc/vsphere/vsphere.conf
[Global]
user = "administrator@vsphere.local"
password = "*******"
server = "10.*.*.25"
port = 443
insecure-flag = 1
datacenter = Boston
datastore = ose3-vmware-prod
working-dir = /Boston/vm/ocp36/
[Disk]
scsicontrollertype = pvscsi
$ cat cloud-provider-storage-class.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: "ose3-vmware-prod"
provisioner: kubernetes.io/vsphere-volume
parameters:
  diskformat: zeroedthick
  datastore: "ose3-vmware-prod"
The commands below can be used to verify the StorageClass exists.
$ oc get sc
NAME TYPE
ose3-vmware-prod kubernetes.io/vsphere-volume
$ oc describe sc ose3-vmware-prod
Name: ose3-vmware-prod
IsDefaultClass: No
Annotations: <none>
Provisioner: kubernetes.io/vsphere-volume
Parameters: datastore=ose3-vmware-prod,diskformat=zeroedthick
Events: <none>
NOTE
This pvc will need to be initiated on the newly created OpenShift cluster.
$ vi storage-class-vmware-claim.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ose3-vmware-prod
  annotations:
    volume.beta.kubernetes.io/storage-class: ose3-vmware-prod
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
$ oc create -f storage-class-vmware-claim.yaml
$ oc describe pvc ose3-vmware-prod
Name: ose3-vmware-prod
Namespace: default
StorageClass: ose3-vmware-prod
Status: Bound
Volume: pvc-cc8a9970-7c76-11e7-ae86-005056a571ee
Labels: <none>
Annotations: pv.kubernetes.io/bind-completed=yes
 pv.kubernetes.io/bound-by-controller=yes
 volume.beta.kubernetes.io/storage-class=ose3-vmware-prod
 volume.beta.kubernetes.io/storage-provisioner=kubernetes.io/vsphere-volume
Capacity: 2Gi
While datastores are generally accessible via shared storage to all the nodes of your cluster, the
VMDKs are tied to a specific machine. This explains the ReadWriteOnce limitation of the persistent
storage.
We will use a different NFS share on the same NFS server. Remember, different tiers of storage should
be assigned as needed by different workloads. In this example, we are just providing an outline for any
future PVCs you choose to create.
For more information regarding persistent volume claims on NFS take a look at the documentation.
$ vi nfs-pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv001
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  nfs:
    path: /pv1
    server: nfs-0.example.com
  persistentVolumeReclaimPolicy: Recycle
The cluster-admin or storage-admin can then create the PV object using the yaml file.
$ oc create -f nfs-pv.yaml
$ vi nfs-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
$ oc create -f nfs-pvc.yaml
persistentvolumeclaim "db" created
$ oc delete pvc db
persistentvolumeclaim "db" deleted
$ oc get pvc db
No resources found.
Error from server: persistentvolumeclaims "db" not found
If the CNS instances will serve dual roles, such as hosting application pods and glusterfs pods, ensure
the instances have enough resources to support both operations. CNS hardware requirements state
that there must be 32GB of RAM per node or virtual machine. There is a current limit of 300 volumes or
PVs per 3-node CNS cluster.
NOTE
If there is a need to use the CNS instances for application or infrastructure pods, the label
role=app can be applied to the nodes. In the adoption phase it is expected that the
platform will run fewer than 300 PVs and the remaining memory on the 32GB instances is
enough to serve the application pods.
NOTE
Do the following from the workstation performing the deployment of the OCP Reference Architecture.
The ocp-on-vmware.ini file used to create the OpenShift deployment must be in the directory
where add-node.py is run from. There are two entries in the ocp-on-vmware.ini file that must be
added or modified: vcenter_datastore and container_storage. The VMware
datastore entered is where all of the new OCP CNS nodes or virtual machines will be stored, so verify
that this datastore has at least 1TB of available storage.
NOTE
$ cd /root/git/openshift-ansible-contrib/reference-architecture/vmware-
ansible/
$ cat ocp-on-vmware.ini
.omitted.
# folder/cluster/resource pool in vCenter to organize VMs
vcenter_folder=ocp3
vcenter_datastore=DPLHP380G9-10-SS200-2
vcenter_cluster=OCP3
vcenter_resource_pool=OCP3
vcenter_datacenter=vDPL
.omitted.
# persistent container storage: none, crs, cns
container_storage=cns
$ ./add-node.py --node_type=storage
Configured inventory values:
console_port: 8443
deployment_type: openshift-enterprise
openshift_vers: v3_6
vcenter_host: 172.0.10.246
vcenter_username: administrator@vsphere.local
vcenter_password: *******
vcenter_template_name: ocp-server-template-2.0.2-new
vcenter_folder: ocp3
vcenter_datastore: DPLHP380G9-10-SS200-2
vcenter_cluster: OCP3
vcenter_resource_pool: OCP3
vcenter_datacenter: vDPL
public_hosted_zone: dpl.local
app_dns_prefix: apps
vm_dns: 172.0.10.241
vm_gw: 172.0.10.2
vm_netmask: 255.255.255.0
vm_network: "Private"
rhel_subscription_user: rhn_user
rhel_subscription_pass: *******
rhel_subscription_server:
rhel_subscription_pool: Red Hat OpenShift Container Platform, Premium*
byo_lb: False
lb_host: haproxy-0
byo_nfs: False
nfs_host: nfs-0
nfs_registry_mountpoint: /exports
master_nodes: 3
infra_nodes: 3
app_nodes: 6
storage_nodes: 0
vm_ipaddr_start: 172.0.10.201
ocp_hostname_prefix: ocp3-
auth_type: ldap
ldap_user: openshift
ldap_user_password: *******
ldap_fqdn: dpl.local
openshift_hosted_metrics_deploy: false
openshift_sdn: redhat/openshift-ovs-subnet
containerized: false
container_storage: cns
tag: None
node_number: 1
ini_path: ./ocp-on-vmware.ini
node_type: storage
NOTE
The script above is optional. Instances can be deployed without using this script as long
as the new instances are added to the OCP cluster using the OCP add node playbooks or
using the add-node.py.
$ cat /etc/sysconfig/iptables
.omitted.
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24007 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24008 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m multiport --dports 49152:49664 -j ACCEPT
.omitted.
The Container-Native Storage (CNS) service consists of Red Hat Gluster Storage container pods running
on OCP nodes, managed by a heketi service. A single heketi service can manage multiple CNS Trusted
Storage Pools. This is implemented using a DaemonSet, a specific way to deploy containers to ensure
nodes participating in that DaemonSet always run exactly one instance of the glusterfs image as a pod.
DaemonSets are required by CNS because the glusterfs pods must use the host's networking
resources. The default configuration ensures that no more than one glusterfs pod can run on one
OCP node.
The project name used for this example will be storage, but the project name can be whatever value
an administrator chooses.
If the CNS nodes will only be used for CNS, a node-selector should be supplied.
If the CNS nodes will be used for both CNS and application pods, a node-selector does not need to be
supplied.
An oc adm policy must be set to enable the deployment of privileged containers, as Red Hat
Gluster Storage containers can only run in privileged mode.
$ oc project storage
$ oc adm policy add-scc-to-user privileged -z default
A heketi topology file is used to create the Trusted Storage Pool. The topology describes the
OpenShift nodes that will host Red Hat Gluster Storage services and their attached storage devices. A
sample topology file topology-sample.json is installed with the heketi-client package in the
/usr/share/heketi/ directory.
NOTE
These activities should be done on the workstation where cns-deploy and heketi-
client were installed. Ensure that the OpenShift client has the cluster-admin privilege
before proceeding.
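If the tools are not yet present on the workstation, a sketch of installing them, assuming the rh-gluster-3-for-rhel-7-server-rpms repository is enabled:
# yum install -y cns-deploy heketi-client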
Below is an example of 3 node topology.json file with /dev/sdd as the VMware volume or device
used for CNS. This file, topology.json is created and placed in the directory where add-node.py -
-node_type=storage is issued from.
$ vi topology.json
{
"clusters": [
{
"nodes": [
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-0.dpl.local"
],
"storage": [
"172.0.10.211"
]
},
"zone": 1
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-1.dpl.local"
],
"storage": [
"172.0.10.212"
]
},
"zone": 2
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-2.dpl.local"
],
"storage": [
"172.0.10.213"
]
},
"zone": 3
},
"devices": [
"/dev/sdd"
]
}
]
}
]
}
$ oc project storage
Already on project "storage" on server "https://ocp3-haproxy-
0.dpl.local:8443".
To launch the deployment of CNS the script cns-deploy will be used. It is advised to specify an
admin-key and user-key for security reasons when launching the topology. Both admin-key and
user-key are user-defined values; they do not exist before this step. The heketi admin key (password)
will later be used to create a heketi-secret in OCP. Be sure to note these values as they will be
needed in future operations. The cns-deploy script will prompt the user before proceeding.
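A sketch of the invocation, assuming the storage project and the admin key used later in this section; the user key shown here is a hypothetical placeholder:
$ cns-deploy -n storage -g --admin-key myS3cr3tpassw0rd --user-key myus3rkey topology.json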
Before getting started, this script has some requirements of the execution
environment and of the container platform that you should verify.
The client machine that will run this script must have:
* Administrative access to an existing Kubernetes or OpenShift cluster
* Access to a python interpreter 'python'
* Access to the heketi client 'heketi-cli'
Each of the nodes that will host GlusterFS must also have appropriate firewall
rules for the required GlusterFS ports:
* 2222 - sshd (if running GlusterFS in a pod)
* 24007 - GlusterFS Daemon
* 24008 - GlusterFS Management
* 49152 to 49251 - Each brick for every volume on the host requires its own
port. For every new brick, one new port will be used starting at 49152.
We recommend a default range of 49152-49251 on each host, though you can
adjust this to fit your needs.
After a successful deploy, validate that there are now 3 glusterfs pods and 1 heketi pod in the
storage project.
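A quick check from the workstation, assuming the storage project:
$ oc get pods -n storage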
The first step is to find the endpoint for the heketi service and then set the environment variables for
the route of the heketi server, the heketi cli user, and the heketi cli key.
$ export HEKETI_CLI_SERVER=http://heketi-storage.apps.dpl.local
$ export HEKETI_CLI_USER=admin
$ export HEKETI_CLI_KEY=myS3cr3tpassw0rd
To validate that heketi loaded the topology and has created the cluster, execute the following
commands:
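A sketch, assuming the environment variables above are exported:
$ heketi-cli cluster list
$ heketi-cli topology info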
Use the output of the cluster list to view the nodes and volumes within the cluster.
To generate the base64-encoded equivalent of the admin password supplied to the cns-deploy
command, perform the following.
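A sketch, assuming the admin key matches the value encoded in the secret below:
$ echo -n mysecretpassw0rd | base64
bXlzZWNyZXRwYXNzdzByZA==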
On the master or workstation with the OpenShift client installed and a user with cluster-admin
privileges, use the base64 password string in the following YAML to define the secret in OpenShift's
default project or namespace.
$ vi heketi-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: heketi-secret
  namespace: default
data:
  key: bXlzZWNyZXRwYXNzdzByZA==
type: kubernetes.io/glusterfs
$ oc create -f heketi-secret.yaml
secret "heketi-secret" created
If multiple types of CNS storage are desired, additional StorageClass objects can be created to realize
multiple tiers of storage, defining different types of storage behind a single heketi instance. This will
involve deploying more glusterfs pods on additional storage nodes (one gluster pod per OpenShift
node) with different type and quality of volumes attached to achieve the desired properties of a tier
(e.g. SSDs for fast storage, magnetic disks for slow storage). For the examples below we will assume
that only one type of storage is required.
Perform the following steps from CLI on a workstation or master node where the OpenShift client has
been configured.
$ oc project storage
$ oc get routes heketi
NAME HOST/PORT PATH SERVICES PORT TERMINATION
WILDCARD
heketi heketi-storage.apps.dpl.local heketi <all>
None
$ export HEKETI_CLI_SERVER=http://heketi-storage.apps.dpl.local
$ export HEKETI_CLI_USER=admin
$ export HEKETI_CLI_KEY=myS3cr3tpassw0rd
The StorageClass object requires both the cluster id and the heketi route to be defined to be
successfully created. Use the information from the output of heketi-cli cluster list and oc
get routes heketi to fill in the resturl and clusterid. For OpenShift 3.4, the value of clusterid is
not supported for the StorageClass object. If a value is provided, the StorageClass object will fail
to create for OpenShift version 3.4. The failure occurs because OpenShift 3.4 can only have a single
TSP or CNS cluster.
OpenShift 3.4
$ vi glusterfs-storageclass-slow.yaml
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: gluster-cns-slow
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: http://heketi-storage.apps.dpl.local
  restauthenabled: "true"
  restuser: "admin"
  secretNamespace: "default"
  secretName: "heketi-secret"
The StorageClass object can now be created using this yaml file.
$ oc create -f glusterfs-storageclass-slow.yaml
OpenShift 3.6
$ vi glusterfs-storageclass-slow.yaml
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: gluster-cns-slow
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: http://heketi-storage.apps.dpl.local
  clusterid: 8578ad5529c354e9d21898cba4c4a1c9
  restauthenabled: "true"
  restuser: "admin"
  secretNamespace: "default"
  secretName: "heketi-secret"
The StorageClass object can now be created using this yaml file.
$ oc create -f glusterfs-storageclass-slow.yaml
$ oc new-project persistent
$ oc get storageclass
NAME TYPE
gluster-cns-slow kubernetes.io/glusterfs
$ vi db-claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-slow
  annotations:
    volume.beta.kubernetes.io/storage-class: gluster-cns-slow
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
$ oc create -f db-claim.yaml
persistentvolumeclaim "db-slow" created
NOTE
Creating additional CNS storage deployments is not possible if using OCP 3.4. Only one
CNS and subsequent StorageClass object can be created.
Once the new nodes are available, the next step is to get glusterfs pods up and running on the
additional nodes. This is achieved by extending the members of the DaemonSet defined in the first CNS
deployment. The storagenode=glusterfs label must be applied to the nodes to allow for the
scheduling of the glusterfs pods.
First identify the three nodes that will be added to the CNS cluster and then apply the label.
beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=ocp3-app-cns-4.dpl.local
ocp3-app-cns-5.dpl.local Ready 1h
v1.6.1+5115d708d7
beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=ocp3-app-cns-5.dpl.local
...omitted...
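A sketch of applying the label, assuming the three new node names that appear in the topology below:
$ oc label node ocp3-app-cns-3.dpl.local storagenode=glusterfs
$ oc label node ocp3-app-cns-4.dpl.local storagenode=glusterfs
$ oc label node ocp3-app-cns-5.dpl.local storagenode=glusterfs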
Once the label has been applied, the glusterfs pods will scale from 3 to 6. The glusterfs
pods will be running on both the newly labeled nodes and the existing nodes.
$ oc get pods
NAME READY STATUS RESTARTS AGE
glusterfs-2lcnb 1/1 Running 0 26m
glusterfs-356cf 1/1 Running 0 26m
glusterfs-fh4gm 1/1 Running 0 26m
glusterfs-hg4tk 1/1 Running 0 2m
glusterfs-v759z 1/1 Running 0 1m
glusterfs-x038d 1/1 Running 0 2m
heketi-1-cqjzm 1/1 Running 0 22m
Wait until all of the glusterfs pods are in READY 1/1 state before continuing. The new pods are not
yet configured as a CNS cluster. The new glusterfs pods will be a new CNS cluster after the
topology.json file is updated to define the new nodes they reside on and the heketi-cli is
executed with this new topology.json file as input.
$ vi gluster-topology.json
{
"clusters": [
{
"nodes": [
{
... nodes from initial cns-deploy ...
}
]
},
{
"nodes": [
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-3"
],
"storage": [
"172.0.10.214"
]
},
"zone": 1
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-4"
],
"storage": [
"172.0.10.215"
]
},
"zone": 2
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-app-cns-5"
],
"storage": [
"172.0.10.216"
]
},
"zone": 3
},
"devices": [
"/dev/sdd"
]
}
]
}
]
}
Using heketi-cli, load the modified topology.json file via heketi to trigger the creation of a
second cluster using the steps below. The first step is to export the values of the heketi server, user,
and key. The HEKETI_CLI_KEY value should be the same as that created for the first cluster (set using
--admin-key for cns-deploy).
$ export HEKETI_CLI_SERVER=http://heketi-storage.apps.dpl.local
$ export HEKETI_CLI_USER=admin
$ export HEKETI_CLI_KEY=myS3cr3tpassw0rd
With these environment variables exported, the next step is to load the newly modified
topology.json.
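A sketch of loading the file, assuming the modified topology was saved as gluster-topology.json:
$ heketi-cli topology load --json=gluster-topology.json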
Observe the second cluster being created and verify that a new clusterid appears in the
console output. Verify that the correct OCP CNS nodes are members of the new cluster.
$ vi glusterfs-storageclass-fast.yaml
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: gluster-cns-fast
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: http://heketi-storage.apps.dpl.local
  clusterid: 5cc7333acb8824e4a238217b8f360940
  restauthenabled: "true"
  restuser: "admin"
  secretNamespace: "default"
  secretName: "heketi-secret"
$ oc create -f glusterfs-storageclass-fast.yaml
The second StorageClass object will now be available to make storage requests using gluster-cns-
fast when creating the PVC.
$ vi claim2.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-fast
  annotations:
    volume.beta.kubernetes.io/storage-class: gluster-cns-fast
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
4. Add a VMDK volume to each node as an available block device to be used for CRS
5. Create a topology file using virtual machine hostnames and new VMDK device name
8. Modify the heketi.json file with user-supplied admin and user passwords and other necessary
configuration for passwordless SSH to all CRS nodes
10. Create heketi-secret and new StorageClass object for PVC creation
Do the following from the workstation performing the deployment of the OpenShift Reference
Architecture. The ocp-on-vmware.ini file used to create the OpenShift deployment must be in the
directory where add-node.py is run from. There are two entries in the ocp-on-vmware.ini file that
must be added or modified: vcenter_datastore and container_storage. The
VMware datastore entered is where all of the new OpenShift CRS nodes or virtual machines will be
stored, so verify that this datastore has at least 1TB of available storage.
NOTE
$ cd /root/git/openshift-ansible-contrib/reference-architecture/vmware-
ansible/
$ cat ocp-on-vmware.ini
.omitted.
# folder/cluster/resource pool in vCenter to organize VMs
vcenter_folder=ocp3
vcenter_datastore=DPLHP380G9-10-SS200-2
vcenter_cluster=OCP3
vcenter_resource_pool=OCP3
vcenter_datacenter=vDPL
.omitted.
# persistent container storage: none, crs, cns
container_storage=crs
$ ./add-node.py --node_type=storage
Configured inventory values:
console_port: 8443
deployment_type: openshift-enterprise
openshift_vers: v3_6
vcenter_host: 172.0.10.246
vcenter_username: administrator@vsphere.local
vcenter_password: *******
vcenter_template_name: ocp-server-template-2.0.2-new
vcenter_folder: ocp3
vcenter_datastore: DPLHP380G9-10-SS200-2
vcenter_cluster: OCP3
vcenter_resource_pool: OCP3
vcenter_datacenter: vDPL
public_hosted_zone: dpl.local
app_dns_prefix: apps
vm_dns: 172.0.10.241
vm_gw: 172.0.10.2
vm_netmask: 255.255.255.0
vm_network: "Private"
rhel_subscription_user: rhn_user
rhel_subscription_pass: *******
rhel_subscription_server:
rhel_subscription_pool: Red Hat OpenShift Container Platform, Premium*
byo_lb: False
lb_host: haproxy-0
byo_nfs: False
nfs_host: nfs-0
nfs_registry_mountpoint: /exports
master_nodes: 3
infra_nodes: 3
app_nodes: 6
storage_nodes: 0
vm_ipaddr_start: 172.0.10.201
ocp_hostname_prefix: ocp3-
auth_type: ldap
ldap_user: openshift
ldap_user_password: *******
ldap_fqdn: dpl.local
openshift_hosted_metrics_deploy: false
openshift_sdn: redhat/openshift-ovs-subnet
containerized: false
container_storage: crs
tag: None
node_number: 1
ini_path: ./ocp-on-vmware.ini
node_type: storage
Both admin-key and user-key are user-defined values; they do not exist before this step. The heketi
admin key (password) will later be used to create a heketi-secret in OCP. Be sure to note these values
as they will be needed in future operations.
NOTE
Ensure the pool that is specified matches a pool available to the RHSM credentials provided (example
pool ID shown below).
NOTE
# subscription-manager register
# subscription-manager attach --pool=8a85f98156981319015699f0183a253c
# subscription-manager repos --disable="*"
# subscription-manager repos --enable=rhel-7-server-rpms
# subscription-manager repos --enable=rh-gluster-3-for-rhel-7-server-rpms
NOTE
NOTE
If the add-node.py script with the option --node_type=storage was used, all of the following
steps up to the next section, Loading Topology File, will be completed
automatically.
Create the heketi private key on the instance designated to run heketi.
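A sketch of generating the key pair, assuming the paths referenced later in heketi.json:
# ssh-keygen -f /etc/heketi/heketi_key -t rsa -N ''
# chown heketi:heketi /etc/heketi/heketi_key*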
Copy the contents of /etc/heketi/heketi_key.pub into a clipboard, log in to each CRS
node, and paste the contents of the clipboard as a new line into the /root/.ssh/authorized_keys
file. Also make sure on each CRS node to modify the /etc/ssh/sshd_config file to allow root
passwordless ssh access (enable PermitRootLogin and RSAAuthentication) and restart
sshd.service. This must be done on all 3 instances, including the CRS node where the heketi services
are running. Also, on each of the 3 virtual machines, requiretty must be disabled or removed in
/etc/sudoers to allow for management of those hosts using sudo. Ensure that the line below either
does not exist in sudoers or is commented out.
$ visudo
... omitted ...
#Defaults requiretty
... omitted ...
On the node where heketi was installed, edit the /etc/heketi/heketi.json file to set up the SSH
executor and the admin and user keys. The heketi admin key (password) will be used to create a
heketi-secret in OCP. This secret will then be used during the creation of the StorageClass
object.
$ vi /etc/heketi/heketi.json
... omitted ...
"_use_auth": "Enable JWT authorization. Please enable for deployment",
"use_auth": true,
"glusterfs": {
"_executor_comment": [
"Execute plugin. Possible choices: mock, ssh",
"mock: This setting is used for testing and development.",
" It will not send commands to any node.",
"ssh: This setting will notify Heketi to ssh to the nodes.",
" It will need the values in sshexec to be configured.",
"kubernetes: Communicate with GlusterFS containers over",
" Kubernetes exec api."
],
"executor": "ssh",
"_sshexec_comment": "SSH username and private key file information",
"sshexec": {
"keyfile": "/etc/heketi/heketi_key",
"user": "root",
"port": "22",
"fstab": "/etc/fstab"
},
... omitted ...
Restart and enable the heketi service so that it uses the configured /etc/heketi/heketi.json file.
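A sketch of restarting and enabling the service:
# systemctl enable heketi
# systemctl restart heketi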
The heketi service should now be running. Heketi provides an endpoint to perform a health check.
This validation can be done from either an OCP master or from any of the CRS nodes. The hostname is
the CRS node where Heketi is installed, in this case ocp3-crs-0.dpl.local.
$ curl http://ocp3-crs-0.dpl.local:8080/hello
Hello from Heketi
NOTE
$ vi topology.json
{
"clusters": [
{
"nodes": [
{
"node": {
"hostnames": {
"manage": [
"ocp3-crs-0.dpl.local"
],
"storage": [
"172.0.10.211"
]
},
"zone": 1
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-crs-1.dpl.local"
],
"storage": [
"172.0.10.212"
]
},
"zone": 2
},
"devices": [
"/dev/sdd"
]
},
{
"node": {
"hostnames": {
"manage": [
"ocp3-crs-2.dpl.local"
],
"storage": [
"172.0.10.213"
]
},
"zone": 3
},
"devices": [
"/dev/sdd"
]
}
]
}
]
}
$ export HEKETI_CLI_SERVER=http://ocp3-crs-0.dpl.local:8080
$ export HEKETI_CLI_USER=admin
$ export HEKETI_CLI_KEY=myS3cr3tpassw0rd
Using heketi-cli, run the following command to load the topology of your environment.
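A sketch, assuming the topology.json file created above is in the current directory:
$ heketi-cli topology load --json=topology.json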
The command gluster volume info can provide further information on the newly created
Gluster volume. Issue this command for one of the CRS nodes.
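A sketch, assuming a test volume has already been created through heketi (for example with heketi-cli volume create --size=10):
# gluster volume info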
Type: Replicate
Volume ID: 8d9f94a4-9d64-4fa5-b376-2f5a7861ca39
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1:
172.0.10.211:/var/lib/heketi/mounts/vg_9a56433faa906302dbfa37776e321f30/br
ick_304bc8a12bc7356500d5752b2ee3eebf/brick
Brick2:
172.0.10.212:/var/lib/heketi/mounts/vg_b991283f0fc801e21ab154373e03027d/br
ick_b73fd447db6d00b3caca237ced4ebfbe/brick
Brick3:
172.0.10.213:/var/lib/heketi/mounts/vg_d15c1d4861eac16697eb311fa51b0dde/br
ick_1386645297de95f526433e254fa0349f/brick
Options Reconfigured:
transport.address-family: inet
performance.readdir-ahead: on
nfs.disable: on
To generate the base64-encoded equivalent of the admin password supplied in the heketi.json
file, perform the following.
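A sketch, assuming the admin key myS3cr3tpassw0rd configured in heketi.json:
$ echo -n myS3cr3tpassw0rd | base64
bXlTM2NyM3RwYXNzdzByZA==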
On the master or workstation with the OCP client installed and cluster-admin privileges, use the
base64 password string in the following YAML to define the secret in OCP's default namespace.
NOTE
$ vi heketi-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: heketi-secret
  namespace: default
data:
  key: bXlTM2NyM3RwYXNzdzByZA==
type: kubernetes.io/glusterfs
$ oc create -f heketi-secret.yaml
secret "heketi-secret" created
NOTE
$ vi storageclass.yaml
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: crs-gluster
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://ocp3-crs-0.dpl.local:8080"
  restauthenabled: "true"
  restuser: "admin"
  secretNamespace: "default"
  secretName: "heketi-secret"
Once the StorageClass yaml file has been created, use the oc create command to create the
object in OpenShift.
$ oc create -f storageclass.yaml
$ oc get storageclass
NAME TYPE
crs-gluster kubernetes.io/glusterfs
Parameters: restauthenabled=true,resturl=http://ocp3-crs-0.dpl.local:8080,restuser=admin,secretName=heketi-secret,secretNamespace=default
No events.
$ vi db-claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: db
annotations:
volume.beta.kubernetes.io/storage-class: crs-gluster
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
$ oc create -f db-claim.yaml
persistentvolumeclaim "db" created
$ oc new-project rwo
The mysql-persistent template will be used for deploying MySQL. The first step is to check to see if the
template is available for use.
Export the default mysql-persistent template content into a yaml file. The OpenShift client can provide
a view of the available parameters for this template.
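A sketch of these checks, assuming the template lives in the openshift namespace as it does in a default installation:
$ oc get templates -n openshift | grep mysql-persistent
$ oc export template mysql-persistent -n openshift -o yaml > mysql-persistent.yaml
$ oc process --parameters -n openshift mysql-persistent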
View the contents of the yaml file and add the lines below to identify the StorageClass object the
MySQL PVC will be created from. If these lines are not added the default StorageClass object will be
used.
NOTE
Any of the StorageClass objects created in this reference architecture can be used.
$ vi mysql-persistent.yaml
. omitted .
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: ${DATABASE_SERVICE_NAME}
    annotations:
      volume.beta.kubernetes.io/storage-class: gluster-cns-fast
  spec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: ${VOLUME_CAPACITY}
. omitted .
Create a deployment manifest from the mysql-persistent.yaml template file and view its contents.
Make sure to modify storage: ${VOLUME_CAPACITY} to be the desired size for the database (1Gi
is the default value).
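A sketch of generating the manifest, assuming a 10Gi database volume and the file name used in the next step:
$ oc process -f mysql-persistent.yaml -p VOLUME_CAPACITY=10Gi -o yaml > cns-mysql-persistent.yaml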
Using the deployment manifest, create the objects for the MySQL application.
$ oc create -f cns-mysql-persistent.yaml
secret "mysql" created
service "mysql" created
persistentvolumeclaim "mysql" created
deploymentconfig "mysql" created
$ oc describe dc mysql
. omitted .
Volumes:
mysql-data:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in
the same namespace)
ClaimName: mysql
ReadOnly: false
. omitted .
$ oc volumes dc mysql
deploymentconfigs/mysql
pvc/mysql (allocated 1GiB) as mysql-data
mounted at /var/lib/mysql/data
The option also exists to connect to the running pod to view the storage that is currently in use.
$ oc rsh mysql-1-4tb9g
sh-4.2$ df -h /var/lib/mysql/data
Filesystem Size Used Avail Use%
Mounted on
10.20.4.40:vol_e9b42baeaaab2b20d816b65cc3095558 1019M 223M 797M 22%
/var/lib/mysql/data
$ oc new-project rwx
$ oc new-app openshift/php:7.0~https://github.com/christianh814/openshift-php-upload-demo --name=demo
--> Found image d3b9896 (2 weeks old) in image stream "openshift/php" under tag "7.0" for "openshift/php:7.0"
-----------------------
Platform for building and running PHP 7.0 applications
Validate that the build is complete and the pods are running.
$ oc get pods
NAME READY STATUS RESTARTS AGE
demo-1-build 0/1 Completed 0 20s
demo-1-sch77 1/1 Running 0 7s
The next step is to retrieve the name of the OpenShift svc which will be used to create a route.
$ oc get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demo 172.30.211.203 <none> 8080/TCP 1m
$ oc expose svc/demo
route "demo" exposed
OpenShift will create a route based on the application name, project, and wildcard zone. This will be the
URL that can be accessed by browser.
$ oc get route
NAME HOST/PORT PATH SERVICES PORT
TERMINATION WILDCARD
demo demo-rwx.apps.dpl.local demo 8080-tcp
None
Using a web browser validate the application using the route defined in the previous step.
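After uploading a file through the application's web page, scale the deployment so a second pod is created; a sketch, assuming the deployment configuration is named demo:
$ oc scale dc/demo --replicas=2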
$ oc get pods
NAME READY STATUS RESTARTS AGE
demo-1-build 0/1 Completed 0 7m
demo-1-sch77 1/1 Running 0 7m
demo-1-sdz28 0/1 Running 0 3s
Login to the newly created pod and view the uploaded directory.
$ oc rsh demo-1-sdz28
sh-4.2$ cd uploaded
sh-4.2$ pwd
/opt/app-root/src/uploaded
sh-4.2$ ls -lh
total 0
The uploaded file is not available to this newly created second pod because the storage is local to the
pod, demo-1-sch77. In the next steps, the storage for the pods will be changed from local or ephemeral
storage to a RWX persistent volume claim for the mount point /opt/app-root/src/uploaded.
First, add a persistent volume claim to the project. The existing OCP StorageClass object created for
a CNS cluster (gluster-cns-slow) will be used to create a PVC with the access mode of RWX.
NOTE
$ vi app-claim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app
  annotations:
    volume.beta.kubernetes.io/storage-class: gluster-cns-slow
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
Using the app-claim.yaml file use the OCP client to create the PVC.
$ oc create -f app-claim.yaml
persistentvolumeclaim "app" created
Now that the PVC exists, tie the claim to the deployment configuration using the existing mount path
/opt/app-root/src/uploaded for the demo pods, as shown in the sketch below.
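A sketch of attaching the claim, assuming the volume name persistent-volume shown in the output further below:
$ oc volume dc/demo --add --name=persistent-volume --type=persistentVolumeClaim --claim-name=app --mount-path=/opt/app-root/src/uploaded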
A new deployment is created using the PVC, and there are two new demo pods.
$ oc get pods
NAME READY STATUS RESTARTS AGE
demo-1-build 0/1 Completed 0 16m
demo-2-9cv88 1/1 Running 0 8s
demo-2-m1mwt 1/1 Running 0 13s
Now there is a persistent volume allocated using the gluster-cns-slow storage class and mounted at
/opt/app-root/src/uploaded on the demo-2 pods.
$ oc volumes dc demo
deploymentconfigs/demo
pvc/app (allocated 10GiB) as persistent-volume
mounted at /opt/app-root/src/uploaded
Using the route for the demo-2 deployment upload a new file.
Now login to both pods and validate that both pods can read the newly uploaded file.
$ oc rsh demo-2-9cv88
sh-4.2$ df -h
Filesystem
Size Used Avail Use% Mounted on
.omitted.
172.0.10.231:vol_a3c4d6122b7ef970b5c301fac1f18621
10G 34M 10G 1% /opt/app-root/src/uploaded
sh-4.2$ cd /opt/app-root/src/uploaded
sh-4.2$ ls -lh
total 812K
-rw-r--r--. 1 1000070000 root 809K Jul 5 21:16 putty.exe
$ oc rsh demo-2-m1mwt
sh-4.2$ df -h
Filesystem
Size Used Avail Use% Mounted on
.omitted.
172.0.10.231:vol_a3c4d6122b7ef970b5c301fac1f18621
10G 34M 10G 1% /opt/app-root/src/uploaded
sh-4.2$ cd /opt/app-root/src/uploaded
sh-4.2$ ls -lh
total 812K
-rw-r--r--. 1 1000070000 root 809K Jul 5 21:16 putty.exe
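To add a third pod, scale the deployment again; a sketch:
$ oc scale dc/demo --replicas=3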
$ oc get pods
NAME READY STATUS RESTARTS AGE
demo-1-build 0/1 Completed 0 43m
demo-2-9cv88 1/1 Running 0 26m
demo-2-kcc16 1/1 Running 0 5s
demo-2-m1mwt 1/1 Running 0 27m
Login to the third pod and validate the uploaded file exists.
$ oc rsh demo-2-kcc16
sh-4.2$ cd uploaded
sh-4.2$ ls -lh
total 809K
-rw-r--r--. 1 1000070000 2000 809K Jul 5 22:38 putty.exe
CHAPTER 7. EXTENDING THE CLUSTER
$ oc get nodes
NAME STATUS AGE
VERSION
master-0.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
master-1.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
master-2.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
infra-0.example.com Ready 14m
v1.6.1+5115d708d7
infra-1.example.com Ready 14m
v1.6.1+5115d708d7
infra-2.example.com Ready 14m
v1.6.1+5115d708d7
app-0.example.com Ready 14m
v1.6.1+5115d708d7
app-1.example.com Ready 14m
v1.6.1+5115d708d7
app-2.example.com Ready 14m
v1.6.1+5115d708d7
$ ./add-node.py --help
usage: add-node.py [-h] [--node_type NODE_TYPE] [--node_number NODE_NUMBER]
                   [--create_inventory] [--no_confirm NO_CONFIRM] [--tag TAG]
                   [--verbose]
optional arguments:
  -h, --help            show this help message and exit
  --node_type NODE_TYPE
                        Specify the node label: app, infra, storage
  --node_number NODE_NUMBER
                        Specify the number of nodes to add
  --create_inventory    Helper script to create json inventory file and exit
  --no_confirm NO_CONFIRM
                        Skip confirmation prompt
  --tag TAG             Skip to various parts of install; valid tags include:
                        - vms (create vms for adding nodes to cluster or CNS/CRS)
                        - node-setup (install the proper packages on the CNS/CRS nodes)
                        - heketi-setup (install heketi and config on the crs master/CRS ONLY)
                        - heketi-ocp (install the heketi secret and storage class on OCP/CRS ONLY)
                        - clean (remove vms and unregister them from RHN, also remove storage classes or secrets)
  --verbose             Verbosely display commands
NOTE
The storage node_type is available to add persistent storage to the OCP cluster using
container-native storage (CNS) or container-ready storage (CRS). Please see the chapters
involving persistent storage for more information about these options.
$ ./add-node.py --node_type=app
Configured inventory values:
cluster_id: 3e06olsus6x2rbgcxw4t
console_port: 8443
deployment_type: openshift-enterprise
openshift_vers: v3_6
...omitted...
node_number: 1
ini_path: ./ocp-on-vmware.ini
node_type: app
ip4addr: 10.x.x.230
tag: app
$ ./add-node.py --node_type=infra
$ oc get nodes
NAME STATUS AGE
master-0.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
master-1.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
master-2.example.com Ready,SchedulingDisabled 14m
v1.6.1+5115d708d7
infra-0.example.com Ready 14m
v1.6.1+5115d708d7
infra-1.example.com Ready 14m
v1.6.1+5115d708d7
infra-2.example.com Ready 14m
v1.6.1+5115d708d7
CHAPTER 8. CONCLUSION
Red Hat solutions involving Red Hat OpenShift Container Platform are created to deliver a
production-ready foundation that simplifies the deployment process, shares the latest best practices,
and provides a stable, highly available environment on which to run your production applications.
OpenShift masters spread across multiple VMware cluster nodes utilizing anti-affinity pinning
rules
Infrastructure nodes spread across multiple VMware cluster nodes with router and registry
pods scaled accordingly
Native integration with existing services and the capacity to create those services if need be
HAProxy load balancer for the master instances and for the infrastructure instances
Native integration with VMware services like VMDK disks, HA, SIOC
Creation of applications
Testing failover
For any questions or concerns, please email refarch-feedback@redhat.com and be sure to visit the Red
Hat Reference Architecture page to find out about all of our Red Hat solution offerings.
APPENDIX B. CONTRIBUTORS
Christoph Goern, content provider
Red Hat would also like to thank Western Digital for use of their Data Propulsion Lab during the
creation of this reference architecture. Please visit wdc.com (link) for more information on Western
Digital enterprise HDD products, and sandisk.com/business (link) for more information on Western
Digital enterprise SSD products.
$ vim ~/openshift-ansible-contrib/reference-architecture/vmware-ansible/ocp-on-vmware.ini
$ cd ~/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py --create_ocp_vars
$ cd ~/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py --create_inventory
$ cd ~/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py
$ cd ~/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py --tag ocp-demo
If installation fails during the ./ocp-on-vmware.py run, it can be re-run safely.
APPENDIX D. TROUBLESHOOTING ANSIBLE BY RED HAT
ocp-on-vmware.py -vvvvvv: the very verbose option gives additional information
about the Ansible run.
This can be helpful in determining connection issues or playbook errors.
If there is a failure during the playbook, occasionally the playbooks may be rerun.
APPENDIX E. INSTALLATION FAILURE
E.1. INVENTORY
The manual inventory is used with the uninstall playbook to identify OpenShift nodes.
vi ~/inventory
[OSEv3:children]
masters
etcd
nodes
[OSEv3:vars]
openshift_master_cluster_hostname="internal-openshift-master.{{ public_hosted_zone }}"
openshift_master_cluster_public_hostname="openshift-master.{{ public_hosted_zone }}"
osm_default_subdomain="{{ wildcard_zone }}"
deployment_type=openshift-enterprise
openshift_debug_level="{{ debug_level }}"
openshift_node_debug_level="{{ node_debug_level | default(debug_level, true) }}"
openshift_master_debug_level="{{ master_debug_level | default(debug_level, true) }}"
openshift_master_access_token_max_seconds=2419200
openshift_master_api_port="{{ console_port }}"
openshift_master_console_port="{{ console_port }}"
osm_cluster_network_cidr=172.16.0.0/16
osm_use_cockpit=false
openshift_registry_selector="role=infra"
openshift_router_selector="role=infra"
openshift_master_cluster_method=native
openshift_cloudprovider_kind=vmware
[masters]
master-0.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
master-1.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
master-2.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
[etcd]
master-0.vcenter.e2e.bos.redhat.com
master-1.vcenter.e2e.bos.redhat.com
master-2.vcenter.e2e.bos.redhat.com
[nodes]
master-0.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
master-1.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
master-2.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'master'}"
infra-0.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'infra'}"
infra-1.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'infra'}"
app-0.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'app'}"
app-1.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'app'}"
app-2.vcenter.e2e.bos.redhat.com openshift_node_labels="{'role': 'app'}"
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py --tag ocp-install
$ cd ~/git/openshift-ansible-contrib/reference-architecture/vmware-ansible/ && ./ocp-on-vmware.py --clean
There are a couple of recurring reasons why the deployment might fail: the current OCP user doesn't
have permission in the current project; the OCP app nodes don't have connectivity to the Red Hat
Registry to download the GlusterFS container images; the firewall rules on the app nodes are blocking
traffic on one or more ports; or the initialization of the block devices referenced in the topology fails
because there are some unexpected partitioning structures. Use the following command to completely
wipe the disk of VMware virtual machines being used for CNS cluster deployments.
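A sketch, assuming /dev/sdd is the block device dedicated to CNS on each virtual machine:
# wipefs --all /dev/sdd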
An alternative reason for failure could be that the device specified is already part of an LVM volume
group (potentially due to a previous failed run of the cns-deploy installer). Remove it with the
following commands on the OCP node that the device(s) is connected to (for example, ocp3-app-cns-3).
This must be done on all nodes referenced in the topology.json file.
$ lvremove -y vg_xxxxxxxxxxxxxxxx
$ pvremove /dev/<block-device>
APPENDIX F. REVISION HISTORY